Flash Memory ‘Bumping’ Attacks
Transcript
for some devices, the intermediate verification result is available as part of the standard protocol or can be requested easily. It becomes more complicated when the block consists of multiple words of data, for example if the verification is performed after every received packet of 16 bytes. Still, because the verification is done in hardware, the memory contents must be read before the values are compared, and this read happens over a data bus of limited width. There is therefore an inevitable delay between each word of data read from the memory, so a sufficiently fast fault injection can influence the value of each individual word. This is one example of a bumping attack (Fig. 2b).

More interesting results should be expected if the data latching time is shifted slightly, or if the value of the data is influenced on its way to the latches. This is possible because the bits of data cannot reach the registers at exactly the same time. If this process can be influenced with fault injection, certain bits of data may be kept in a known state, which makes it possible to brute-force the remaining bits. There are two possible ways of applying selective bumping attacks: on the rising edge of the fault injection or on the falling edge (Fig. 2b). In both cases, the event must happen close to the time when the data from memory is latched into the data bus drivers.

Fig. 2. Timing diagram of a verify-only operation: (a) data-block level, (b) data-word level

The term ‘bumping’ originally comes from a certain type of physical attack on door locks [8]. The idea is to force the key bits into a desired state that allows access. In the context of the hardware security of semiconductors, ‘bumping’ here means bypassing the verification of a certain block of data by forcing the data bus into a known state. ‘Selective bumping’, in turn, means that certain bits of data are forced into known states, allowing the remaining bits to be searched through all possible combinations. Some parallels with lock bumping can be observed. For example, Flash memory bumping attacks allow the verification of certain words of data to be bypassed without knowing their real value. The more powerful selective bumping attack allows certain bits of data within each word to be masked, thus substantially reducing the attack time.